I have refrained from writing about the recent cybersecurity incident affecting MyHeritage because of my relationship with the company. I didn’t want to write anything that could be seen as either a positive or a negative comment. I prefer to remain neutral and let everyone interpret the facts as they wish. However, the news services are now full of stories about the incident and some of those stories are highly inaccurate. Therefore, I will simply mention it here, invite everyone to read the details for themselves in the MyHeritage Blog, and then offer my comments.
The MyHeritage Blog provides the details at https://blog.myheritage.com/2018/06/myheritage-statement-about-a-cybersecurity-incident/ and then the follow-up article at https://blog.myheritage.com/2018/06/cybersecurity-incident-june-5-6-update/.
OK, having written the disclaimer above, I will now give my (possibly biased) interpretation of the incident:
It wasn’t much of a break-in.
The hackers stole a LOT of email addresses, but nothing else. They didn’t get any passwords simply because MyHeritage has rather good, although obviously not perfect, security. MyHeritage doesn’t save passwords so hackers cannot steal passwords from the company. The hackers also apparently did not obtain any other personal information, such as addresses, telephone numbers, credit card numbers, or anything else like that.
If MyHeritage had perfect security, the hackers wouldn’t have been able to access the email addresses at all. I guess the hackers can now send spam to all of us at the stolen addresses, but that’s about the worst thing they can do. There is no need for anyone to notify their bank or credit card company.
The folks at MyHeritage did the right thing, however. They wrote:
“Although no passwords leaked but only hashed versions of the passwords, we encouraged our users to change their password, and many already did so. However, to maximize the security of our users, we have started the process of expiring ALL user passwords on MyHeritage.”
The requirement to change passwords is a good security precaution. It will inconvenience users who have to change their passwords but is still the prudent thing to do, “just in case” there was a bigger problem than what is believed to have happened. I changed my password a few minutes ago on MyHeritage and you will have to do the same if you have an account there.
I noticed that several online reports claim that hackers obtained both user names and passwords, but that is incorrect, according to MyHeritage’s senior managers. The truth can be found in the MyHeritage Blog.
Again, that’s not much of a break-in.
You can find the details at https://blog.myheritage.com/2018/06/myheritage-statement-about-a-cybersecurity-incident/ and then the follow-up article at https://blog.myheritage.com/2018/06/cybersecurity-incident-june-5-6-update/.
– Dick Eastman